China Cyber-Insecurity: What Can You Do?

This is my wrap up to my series on China cybersecurity, stemming from the recent webinar at which I discussed cybersecurity in China. To watch that webinar, go here.

To read part 1 of this series, go here. Part 1 described the cybersecurity situation in China. To read part 2 of this series, go here. Part 2 explains why cryptography is not a solution and it looks at the Golden Tax Malware Program as an example of CCP malware. To read Part 3, go here. I discuss how companies are essentially forced to into an insecure network system so as to expose their data to the CCP and I examine the international implications of this.

In this post, I address the practical options foreign companies have for dealing with China’s cybersecurity system.

In response to my recent webinar on Chinese cyber-insecurity, viewers and readers have asked a reasonable question: what can we do to deal with the cyber-insecurity situation in China? How can we operate in China and still protect our critical data? The assumption in this question is that there must be a technical cybersecurity solution that will allow companies and individuals to protect their private technical data in China. The problem is technical, so there must be a technical solution.

This is a symptom of unrealistic techno-optimism. The answer to the question is quite simple and blunt. There is almost nothing you can do. Any form of data you transmit across the Chinese border is available for inspection and use by the Communist Party and its agents. The title of my webinar (No Place to Hide) is not hyperbole. Once within the borders of China, there truly is no place to hide.

So what is to be done? You have three basic choices.

1. Identify the technical data that you do not want the CCP to obtain. Then, do not transfer that data to any location in China for any reason. If this means you cannot do business in China, that is what this means.

2. Simply capitulate and allow your data to be taken by the Party.

3. Assume all your systems in China are compromised. Then work with your cyber-security consultant to design a system in China that will work in a situation where everyone involved knows the system is compromised. This is the kind of program used by people who work in hostile environments. It is the realm of spy-craft and operations behind the lines in times of war. These evasion techniques are regularly provided to dissidents and oppressed persons operating in China. So the evasion techniques exist. The problem is these techniques assume an openly adversarial environment. The people who use these techniques understand punishment will follow if the evasion technique is discovered. For that reason, it is too risky for on the ground managers and employees to to make use of this approach. So though this approach may be technically feasible, application of these techniques is not practical at this time. However, once the problem is understood, it may be possible for foreign cyber-security professionals to design usable techniques that can be safely applied in a compromised environment like China.

These are the three possible responses to the China’s “no place to hide” system. So long as the Party and its agents operate the cyber-insecurity system, there is no place to hide in China. Each entity and individual operating in China must make a frank assessment of the risks of working within the existing system. There is no escape from facing the issue directly.

Consider why any other alternative simply will not work. For example, we can imagine a situation where a powerful foreign investor in China states the following to the regulators:

We know you want to steal the data housed on our servers located in China. We will only transfer that data into China if you provide us with a blanket exemption to the MLPS and the rest of the cyber-insecurity system. We will house our data on servers installed by our own technicians. We will only use equipment we have inspected for malware and back doors. We will use our own encryption and we will not provide you with the keys. We will communicate on our own secure VPN that exempts us from any control by the Great Firewall. We will use our own, foreign based, anti-virus software. Our network systems will operate using the most advanced server and operating system software.

We know this system is not compliant with China’s cyber-security, surveillance and control system. But allowing us to use our non-compliant system that operates outside the Great Firewall and outside the cyber-insecurity system is the price China must pay for our company to operate within China or to transfer any technology of any kind into China. Take it or leave it.

Since this demand violates Chinese law and policy, the Chinese government will reject it. But for purposes of this discussion, assume the Chinese authorities agreed to allow a foreign investor to operate within China making use of this kind of system. It still would not work. As I outlined in my webinar and my webinar report, the Chinese system forces anyone operating in China into an insecure environment and once in that insecure environment, any system of cyber-security will fail. Thinking a cyber-solution will provide a place to hide is a dangerous fantasy.

In my webinar, I described some of the ways the PRC system drives all persons and entities into an insecure network environment. As I noted in the webinar, the ultimate goal of the PRC regulators is to install malware on all network devices. A primary target in this program is smart phones. In China today, nobody can function without a smart phone. Virtually every aspect of daily life and business life requires smart phone apps. The Party and its agents understand this, and they therefore focus on installing malware on smart phones.

The forced use of WeChat is an example of how the system works. Some of our readers have asked whether they should be concerned with WeChat as a vector for malware infection on their systems. This question misses the issue. WeChat IS malware. If you install WeChat on your system, you are installing malware. No sophisticated phishing campaign is required. You did it yourself. There is a reason for this. No company can do business in China without using WeChat. There is no escaping this if you operate in China or if, outside China, you work with Chinese companies and individuals.

As with the Golden Shield tax malware, virtually every smartphone application distributed by the PRC government is a form of malware. The following are some examples of this.

1. Study of Xi Jinping thought is now mandatory in China. The Party has created a smartphone app intended to promote that study: the Study the Great Nation App. Over 100,000,000 Chinese have downloaded the app. Since advancement within the Party and the bureaucracy requires using the app (and since use is monitored), it is regularly accessed. The app is more than an educational tool, it is a form of malware and it does all of the following: information gathering, file transmission and protection, code execution and backdoors, obfuscation for hiding functionality, and collaboration with external companies. The average foreign executive will not have this app installed. But the Party cell members in her office and the people with whom she does business will also. So there is no effective way to avoid the reach of the app and its data gathering functions.

2. Many governments in China have created smart phone applications to monitor self quarantine and other measures as part of their coronavirus control programs. The best known of these was created in Hangzhou and, as with the Great Nation app, this app is also a form of malware. This app is required for the daily functions of life: entry into neighborhoods, purchase of train and bus tickets, entry into shopping malls. This app cannot be avoided.

3. Even foreign tourists and other foreign visitors to China are forced into China’s smartphone malware system. It has become a regular procedure for China border control to inspect the smartphone of every person entering into China and these inspections are particularly thorough for entry into sensitive areas such as Xinjiang and Tibet. As part of the inspection process, border agents now routinely install tracking malware on those smartphones and tourists are not permitted to opt out because compliance is a condition of entry. This procedure demonstrates how China’s cyber-insecurity system works. Step One, police inspection is mandatory. Step Two, the police take any data they want to take. Step Three, the police leave behind tracking malware (RAT) to make the network device permanently accessible by the Chinese government and its favored companies. This is exactly what the MPS will do when “inspecting” office computer networks and offsite cloud systems. Inspection is cover for insertion of malware. Insertion of malware is the primary goal.

So as we can see, all networked systems are treated the same way: smartphones, computer networks, cloud systems. The CCP’s goal is to push all users of these networks into an insecure environment. Many of our readers have expressed concerns about using Chinese hardware. They believe they can escape from Chinese data monitoring by using their own self certified hardware devices. But hardware is not the issue. The issue is software. The Party and its agents will allow you to use the hardware of your choice. The cyber-insecurity system because it imposes its system on you by forcing you into a compromised, insecure software environment. If you are in China or dealing with China, you are part of China’s monitoring system.

Your hardware does not matter for China, though it is true that much Made in China hardware (see Huawei’s 5G system) has been developed to monitor outside China. This can be seen by the continued saga of the attempts of Huawei to participate in the roll out of 5G networks in the United Kingdom. Even though Huawei has been under intense pressure to deal with security concerns in the U.K, the U.K. Huawei Oversight Board has announced Huawei systems fail to meet minimum security standards.

The reason for the failure is NOT related to Huawei hardware, which itself is not great. The security issues are related to the software component. “Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines.” The report found “critical, user-facing vulnerabilities” in fixed access products caused by “particularly poor code quality” and the use of an old operating system.

This echoes my basic description of the way the insecure system works: users are forced to use poorly written government mandated software and outdated operating systems. Even when pushing out product to a very suspicious foreign government, Huawei is not able to escape from the basic structure of the PRC’s cyber-insecurity regime because its sales within China require they operate this way. This is all is a feature of a system that prioritizes CCP monitoring over revenues.

This then takes us back to the initial question: What can be done when there is no practical way to protect network data that crosses the Chinese border? The Chinese cyber-insecurity system is designed to make all networks of any kind open to access by the Party and its agents. This access includes collection and use of all data available on every network operating within the borders of the PRC. For a foreign invested enterprise, this means access to and use of all technical data that crosses the Chinese border.

So the answer to what can be done is that you understand the reality. Do not fool yourself into thinking you can defeat China’s all- pervasive cyber-insecurity system. In that sense, the answer is quite simple: if there is data you do not want the CCP to access, do not send that data to China. For years, foreign investors have worked to find a “workaround” to the Chinese system. There is no work around. China does not do loopholes.

The title of my webinar said it all: There is no place to hide.